Android and Pandora Privacy Rulings Accept Low Hurdle for Standing

A pair of rulings from Judge White in lawsuits involving the privacy practices of Android and Pandora employ a loose standard for standing and allowed plaintiffs in both cases to press forward with their claims.

In re Google Android Consumer Privacy Litigation, 1-MD-02264 JSW (N.D. Cal. Mar. 10, 2014): Judge White recently rejected Google’s request to dismiss claims that Google—through the Android platform—gained access to and improperly passed to third parties (or allowed third parties to access) personal information:

  • class Members’ home and workplace locations and current whereabouts;
  • several universally unique device identifiers (“UUIDs”) assigned to Plaintiffs’ Android mobile phones;
  • other device-specific data that was useful to Google and third parties for purposes of “device-fingerprinting;” (i.e., the creation of a back-up unique identifier to engage in tracking of a particular device);
  • along with personal information about Plaintiffs such as their gender and age, what functions Plaintiffs performed on Apps, search terms entered, and selections of movies, songs, or restaurants.

Highlights of the ruling:

  • the court rejects Google’s standing argument, finding that at the pleading stage, plaintiffs have sufficiently alleged standing
  • the court grants Google’s request to jettison the Computer Fraud and Abuse Act claim, finding that even if plaintiffs’ damage allegations are aggregated, they fail to satisfy the damage threshold
  • the court dismisses the UCL claim based on the unlawful prong since it piggybacked on the CFAA claim
  • the court declines the request to dismiss the UCL claim based on the unfairness prong (“Unfair simply means any practice whose harm to the victim outweighs any benefits.”)
  • the court also declines the request to dismiss the UCL claim under the fraudulent prong – here, the court cites to Google’s privacy policy and says that several of Google’s actual practices are allegedly “contrary to the representations in Google’s privacy policy”
  • finally, the court also rejects Google’s argument that plaintiffs are not entitled to restitution because money wasn’t paid directly to Google

The court also cites to the recent ruling in a privacy lawsuit against Apple, which initially left some claims standing but ultimately dismissed those claims at the summary judgment stage. (See Privacy Plaintiffs Lose Because They Didn’t Rely on Apple’s Privacy Representations — In re iPhone App Litigation.)

Yunker v. Pandora, No. 11–CV–03113 JSW (N.D. Cal. Mar 10, 2014): Pandora was sued for making misrepresentations regarding its disclosure of personal information to third parties. The court initially dismissed the lawsuit in an order that made me think plaintiff would not want to re-file, but plaintiff, along with other putative class action reps, re-filed. (See “Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora”.) This time around the court declines Pandora’s motion to dismiss.

Pandora’s privacy policy provides that it will:

use and share non-personally identifiable information, such as general demographic or location information, or information about the computer or device from which you access [the Pandora App]. Additionally, we may de-identify personally identifiable information and share it in a de-identified or aggregated form with third parties, advertisers and/or business partners in order to analyze [Pandora] usage, improve the Pandora Services and your listener experience, or for other similar purposes. The use and disclosure of such information is not subject to any restrictions under the Privacy Policy. [emphasis added]

Plaintiffs claimed that sharing of personal information such as age, gender, location, and the device identifier violated the privacy policy, which promised to only use such information to analyze usage, improve services, “or for other similar purposes.” Some of the plaintiffs were premium (paying) customers.

Standing: The court previously concluded that plaintiff failed to allege sufficient facts to satisfy standing but this time around, says that plaintiffs’ allegations regarding “decreased memory space” satisfies standing. The court also cites to their allegations that their PII was economically valuable and that plaintiffs would not have paid fees or turned over their PII had they known how Pandora would misuse it.

UCL Claim: The court previously dismissed the UCL claim on standing grounds, but this time around says that plaintiffs satisfy standing. The court cites again to the use of memory and additional fees incurred by plaintiffs.

Breach of contract: The court also declines to dismiss plaintiffs’ breach of contract claim. Pandora argued that the privacy policy is not an agreement but the court disagrees (without any real citations). As for damages, the court again cites to “the overage [plaintiffs’ suffered] on their data and memory plans.”

Privacy claim under the California Constitution: The court previously dismissed this claim because Pandora’s acts were not an “egregious breach of the social norms underlying the privacy right.” Plaintiffs’ amended complain doesn’t change the court’s view.

__

Ouch. A diluted test for standing strikes again. Both of these cases are good examples of a court applying nominal scrutiny to the allegations of a privacy plaintiff. It’s tough to mark an exact point where a shift occurred, or even know that it has, but my sense is that standing is increasingly becoming less useful for defendants in privacy cases. These cases don’t raise the issue of statutory standing, where courts have always been more permissive; at this point, these cases involved UCL and breach of contract claims.

These lawsuits may end up going the way of the first generation cookie lawsuits. The slight difference between the two is that while the previous lawsuits were based on privacy intrusions that occurred while plaintiffs were using free services, these lawsuits involve products that were nominally purchased. For this reason, the unfair competition claims are a good hook, at least at the initial stages. Further factual development may show, for example, that the plaintiffs did not rely on Google’s representations or that they haven’t been harmed in a benefit-of-the-bargain sense. This is ultimately what happened with the iPhone app litigation, and I wouldn’t be surprised if a similar outcome was in store for these plaintiffs. [It’s unclear as to the precise extent to which the Pandora plaintiffs’ status as paying customers affects their overall chances. Only some of the plaintiffs are paying customers, but the court doesn’t specify whether the chances of recovery are different for paying versus non-paying customers.]

The Pandora ruling in particular is a good lesson on the privacy policy drafting front. Companies are reluctant to come out and say that they will use personal information for “marketing purposes,” but that’s what Pandora should have done here. Granted, their privacy policy is equivocal, and there is arguably helpful language that use of “de-identified personally identifiable information . . . is not subject to any restrictions” under the policy, but this conflicts with the policy’s listing of the types of uses for de-identified information. There is always some tension between various stakeholders, but a good line to draw would be to assure customers that you would not use their personal information for “direct marketing” (perhaps defined as marketing via email, telephone, postal mail and other similar means), but you would use it for other types of marketing. Or perhaps that you would use demographic information for marketing. It’s also worth noting that both the court’s ruling and the policy as interpreted by the court use a broad (or ambiguous) definition of PII. (Cf. “California Supreme Court Rules That a ZIP Code is Personal Identification Information — Pineda v. Williams-Sonoma“.)

As a final note, I wouldn’t be surprised if the allegations regarding the collection and transmission of information by Google and app-developers have some shred of truth to them. These lawsuits are typically fashioned around the findings of security/privacy researchers that have some measure of reliability. Of course, that doesn’t mean that it was a conscious decision by Google, or even that there’s a direct financial benefit as a result of the collection and disclosure of information in question. Still, it’s a sad state of affairs when the biggest mobile platforms are facing allegations that their privacy practices turned out to not be as promised.

Case citations:

– In re Google Android Consumer Privacy Litigation, 1-MD-02264 JSW (N.D. Cal. Mar. 10, 2014)
– Yunker v. Pandora, No. 11–CV–03113 JSW (N.D. Cal. Mar 10, 2014)

Related posts:

Privacy Plaintiffs Lose Because They Didn’t Rely on Apple’s Privacy Representations — In re iPhone App Litigation

Class Action Against Path Over Cellphone Address Book Access Keeps Going

Judge Koh Whittles Down iPhone App Privacy Lawsuit

Google Wins Cookie Privacy Lawsuit

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

New Essay: The Irony of Privacy Class Action Lawsuits

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011